I'm working on a web app that allows scientists to submit to a high performance computing cluster through a web interface. The users fill in some data about their experiment, upload some files and the web app takes care of the rest.

At the end of the computation the users need to be able to access their resultant files. They are around 1 GIG in size.

I want to allow the users to browse these files but I don't know how to do it securely. Users should not be able to browse files that are not theirs. The files are already stored in a directory outside of webroot and owned by the Apache user.

I'm working in PHP. Any advice on how to implement something like this?

A: 

I might suggest storing the files in distinct directories (by permission) and then opening up an FTP server with SSL for browsing/downloading the results.

Chris
This might be secure, but the drawback is that a user account (typically an OS-level one) is needed for each user of the web application. This is fine for intranet scenarios but fails if the application is open to the internet.
0xA3
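
If the per-user directories suggested above are served by the PHP application itself rather than over FTP, every request has to be confined to the requesting user's own directory. The following is an added example, not code from the original thread; the function name `resolve_user_file`, the `<results root>/<user id>/` layout and the sample files are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map (user id, requested relative path) to a real file
// inside that user's own results directory, or null if the request escapes it.
function resolve_user_file(string $resultsRoot, string $userId, string $requested): ?string
{
    // The user id must come from the authenticated session, never from the
    // request. Restrict it so it cannot itself contain path separators.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $userId)) {
        return null;
    }
    $userRoot = realpath($resultsRoot . DIRECTORY_SEPARATOR . $userId);
    if ($userRoot === false || !is_dir($userRoot)) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; it returns false when the
    // target does not exist.
    $target = realpath($userRoot . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so "alice" does not match "alice2".
    $prefix = $userRoot . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout in a temp directory (not from the original page).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'results_' . bin2hex(random_bytes(4));
mkdir("$root/alice/run1", 0700, true);
mkdir("$root/alice2", 0700, true);
file_put_contents("$root/alice/run1/out.dat", "alice data");
file_put_contents("$root/alice2/out.dat", "another user's data");

$cases = [
    'run1/out.dat'              => true,  // the user's own file
    '../alice2/out.dat'         => false, // sibling user's directory
    'run1/../../alice2/out.dat' => false, // same escape, nested
    '/etc/passwd'               => false, // does not exist under the user root
    'run1'                      => false, // a directory, not a file
];
foreach ($cases as $path => $expectAllowed) {
    $allowed = resolve_user_file($root, 'alice', $path) !== null;
    printf("%-28s %s\n", $path, $allowed === $expectAllowed ? 'ok' : 'UNEXPECTED');
}
```

In the application, the resolved path would then be sent with `readfile()` after the download headers, with output buffering turned off so that a result of around 1 GB is streamed rather than held in memory.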
+1  A: 

My first reaction is, don't do it: go and get help. Security is not a job for the ill-prepared, no matter how well meaning. You need a consultant expert to advise and implement this portion, and then provide you with an authentication framework and API to the data.

Remember the recent global warming email scandal: scientific data may be sensitive.

Alex Brown
+1 on this... it's not that hard to do, but really must be done right. And there are already plenty of people to ask in the HPC community. My suggestion is WebDAV over HTTPS and an LDAP server for authentication, and you should be able to find packages for setting that up properly.
Andrew McGregor